Part 2: Input validation attacks continued …


1 Part 2: Input validation attacks continued …
Prem Uppuluri, PhD, Asst. Professor, Radford University, Radford, VA
Notes on these slides are primarily from the slides provided with the textbook: Foundations of Security, Neil Daswani et al. ©Neil Daswani, ISBN-13: 
This is a recommended textbook for the course.

2 Input size validation is good, but not enough …
We also need to validate the “type” of the input; just validating the size isn’t enough! Examples (next): SQL injection, HTTP parameter tampering, cross-site scripting.

3 The rest of this lecture is not from the textbook. Please take notes.

4 Next: SQL injection attack
Before that: everything we need to know for the moment about SQL.
Consider a university database that maintains information about every student, such as their id, major, the specific concentrations in their major, the core courses of their concentration, etc. This information can be organized into multiple tables. E.g.:
studentTable can contain the columns: student name, SSN, major, courses taken.
majorTable can contain the columns: information about the major, and the different concentrations in the major.
concentrations table can contain columns such as concentration name, core courses, electives, credit hour requirement, etc.
Database Management Systems (such as Oracle) provide a language that allows users to create or update such tables and query the tables.

5 Everything we need to know for the moment about SQL (2)
SQL (Structured Query Language) is the language used to query relational databases such as Oracle. It falls under a class of programming languages called Domain Specific Languages (DSLs). How is a DSL different from a generic high-level programming language such as Java? As the name suggests, DSLs are programming languages very specific to a domain, e.g., databases or programming routers.
Some of the things you can do with SQL:
Create tables in a database. E.g., creating a student table and a concentration table.
Query tables (multiple tables at a time) to extract information. E.g., what are the core courses a student Xunil must take? This involves querying two tables: the student table and the concentration table.

6 Some common queries in SQL
Creating a table:
    create table studentTable (studentName String, SSN long, …)
Querying a table:
    select * from studentTable
returns all the rows of studentTable.
Inserting:
    insert into studentTable (studentName) values ('Xunil')
© Daswani

7 WebServers + Databases (2)
Web servers can connect to databases using different technologies, e.g., JDBC (if the web server is running Java-based extensions) or .NET (in case it is based on ASP.NET technology). So let us look, at a high level, at how the technology works.
© Daswani

8 A common configuration of a web-server
Example of a web server for a library.
[Diagram: Web Browser (Client) → Web Server of the Library → DB (contains list of books)]
© Daswani

9 WebServers + Databases (2)
Using the web server:
Step 1: The user (web client) requests the catalogSearch.html file.
Step 2: The user then enters the keyword to search and presses “submit”. At this time, the following request is sent to the web server:
    GET /submit_search?keyword='computer'&'security'
(Example shown in class using McConnell library.)
[Diagram: Web Browser (Client) → Web Server of the Library]
© Daswani

10 WebServer + Database (4)
Step 3: The web server contacts the DB for information. The code that connects to the database from the web server constructs an SQL query to get information from the database. Assume we are using C# on ASP.NET; the specific C# code snapshot could be:
    sql_query = "SELECT bookRecords " +
                "FROM catalogTable " +
                "WHERE bookname = " + request.getParameter("BookName");
    SQLQueryResult = SqlCommandObj.sqlcommand(sql_query);
    // return result to the user (web client)
[Diagram: Web Server of the Library → DB (contains list of books)]
© Daswani

11 WebServers + Databases = An Insecure Mix!
Summarizing:
    SELECT bookRecords FROM catalog WHERE bookName IS 'Computer Security'
[Diagram: Web Browser (Client), search term “Computer Security” → Web Server of the Library → DB (contains list of books)]
© Daswani

12 Attack!
Now let us see how to attack. Goal: an attacker would like to somehow damage the database or extract information illegally. Any ideas?
    String desiredBook = myWebForm.getParameter("bookName");
    sql_query = "SELECT BookRecords " +
                "FROM Catalog " +
                "WHERE title = '" + desiredBook + "'";
    SQLQueryResult = SqlCommandObj.sqlcommand(sql_query);
    // return result to the user (web client)
Can we do something with the request's parameter bookName, which was taken (say) from a web form?
© Daswani

13 Attack (2)
What if the book's name were:
    Computer Security'; DROP TABLE Catalog --
Then the Java program will construct the following string, which it will then give to the database:
    SELECT BookRecords FROM Catalog WHERE title = 'Computer Security'; DROP TABLE Catalog --'
In SQL, the character “;” separates multiple commands. This has the effect of deleting the Catalog from the database – a DoS attack. (The “--” begins a SQL comment, so that the query's trailing quote character isn't a SQL syntax error.)
© Daswani

14 SQL Injection: Another Example
[Diagram: Web Browser (Client) enters username & password → Web Server → DB: SELECT passwd FROM USERS WHERE uname IS '$username' (the attacker will modify $username)]
© Daswani

15 SQL Injection Example
Here is the expected working of a user login. An upstanding citizen, Mr. Smith, has entered his username and hard-to-break password…
© Daswani

16 SQL Injection Example
The request for “smith” is processed by the web server by creating a SQL query to the database to get Mr. Smith’s password…
[Diagram: Web Browser (Client) enters username & password → Web Server → DB: SELECT passwd FROM USERS WHERE uname IS 'smith']
© Daswani

17 SQL Injection Example
Now, here is how an attacker could misuse this system… (turns out Mr. Smith isn’t all that upstanding). Under user name: enter an SQL query…
© Daswani

18 SQL Injection Example
Under user name, enter an SQL query, which results in the following query. The “;” is used to separate multiple SQL queries; DROP TABLE results in the table being erased.
    SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; --'
[Diagram: Web Browser (Client) enters username & password → Web Server → DB]
© Daswani

19 Result: SQL Injection Example
First the SELECT statement executes and produces no results. Then the DROP TABLE statement executes; no user will be able to log in!
© Daswani

20 SQL Injection attacks
There are several possible attacks. We have already seen DROP TABLE. Some other examples:
    INSERT INTO adminTable(name, passwd) VALUES ('prem', …)
    SELECT * FROM LibraryUsers
The second will reveal information about all the library users (if LibraryUsers happens to be an actual table name).
Where can we insert these malicious SQL commands? Either in the form fields, or in the URL itself.
© Daswani

21 Other types of SQL injection attacks
The previous attack requires knowing a table name. But depending on how the query is written, there may be other vulnerabilities:
    -- expected use:
    Select * from … where username='bob' and passwd='xyz'
    -- an attack:
    Select * from … where username='bob' and passwd = 'xyz' or 1=1 --'
© Daswani

22 Preventing input validation attacks
How to fix it? Validate the input! Filter out any character that has special meaning: apostrophe, double quote, newline, backslash; how about the semicolon? the percent sign? the hyphen? Functions for escaping any SQL-specific characters are available: don’t splice $userInput into your query, but rather sanitizeSQL($userInput).
© Daswani

23 Solutions to SQL injection attack
(1) Blacklisting: disallow bad chars. Scan the input for the single-quote character etc., and eliminate it (or quote it). For example:
    SELECT passwd FROM USERS WHERE uname = '\'; DROP TABLE USERS; -- '
The attack won’t work any more; SQL now properly interprets this as a string whose first character happens to be '. But also remember to check for double quote, newline and backslash. Forgetting to blacklist or quote even a single bad character may cause problems.
© Daswani

24 Solutions (2)
(2) Whitelisting: only allow safe chars (and flat-out reject other chars). This is the principle of fail-safe defaults: limit the possible inputs to certain characters. However, this may not always be user friendly (Peter O'Toole and Mötley Crüe can't use your site).
© Daswani
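The login bypass of slide 21, the string splicing of slides 12 and 13, and the remedies of slides 22 to 24 (escaping, whitelisting), worked through against an in-memory SQLite table. This is an added example, not code from the slides or from the textbook: the table, its two users and all function names are constructed for the demonstration, and the parameterized-query variant at the end is the standard remedy that the slides do not show.

```python
import re
import sqlite3


def make_db():
    """Constructed USERS table standing in for the slides' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bob", "xyz"), ("smith", "s3cret")])
    conn.commit()
    return conn


def login_query_spliced(username, password):
    """Builds the query the way slide 21 does: input spliced straight into SQL."""
    return ("SELECT * FROM users WHERE uname='" + username +
            "' AND passwd='" + password + "'")


def login_spliced(conn, username, password):
    """Vulnerable login.  A password of  xyz' or 1=1 --  closes the literal,
    appends  or 1=1  and comments out the trailing quote, so every row matches."""
    rows = conn.execute(login_query_spliced(username, password)).fetchall()
    return len(rows) > 0


def sanitize_sql(value):
    """Escaping in the spirit of the slides' sanitizeSQL(): inside a SQL string
    literal a quote is written as two quotes, so the input can no longer close
    the literal.  On databases that give backslash or newline special meaning
    those need the same treatment (slide 23): one missed character is enough."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same spliced query, but every input goes through sanitize_sql() first."""
    query = login_query_spliced(sanitize_sql(username), sanitize_sql(password))
    return len(conn.execute(query).fetchall()) > 0


def login_parameterized(conn, username, password):
    """Bound parameters: statement text and values travel separately, so the
    values are never parsed as SQL at all (not on the slides; standard remedy)."""
    rows = conn.execute("SELECT * FROM users WHERE uname=? AND passwd=?",
                        (username, password)).fetchall()
    return len(rows) > 0


# Whitelisting (slide 24): a username may only consist of these characters.
USERNAME_WHITELIST = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_whitelisted_username(username):
    """Fail-safe default: reject anything outside the allowed alphabet.
    As the slide warns, "Peter O'Toole" is rejected too."""
    return USERNAME_WHITELIST.fullmatch(username) is not None


def catalog_query_spliced(book_title):
    """Slide 12's catalog search.  With the title from slide 13,
    Computer Security'; DROP TABLE Catalog --  the result is two statements."""
    return "SELECT BookRecords FROM Catalog WHERE title = '" + book_title + "'"


if __name__ == "__main__":
    db = make_db()
    attack = "wrong' or 1=1 --"
    print("spliced      :", login_spliced(db, "bob", attack))        # True: bypassed
    print("escaped      :", login_escaped(db, "bob", attack))        # False
    print("parameterized:", login_parameterized(db, "bob", attack))  # False
    print(catalog_query_spliced("Computer Security'; DROP TABLE Catalog --"))
```

Whether the stacked `DROP TABLE` of slide 13 actually runs depends on the driver (Python's sqlite3 `execute` refuses more than one statement per call, many other drivers do not), which is why the fix has to be in how the query is built, not in hoping the driver objects.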

25 Dropping tables. Cartoon © xkcd

26 HTTP basics
To understand this attack, we need to know the HTTP protocol. The HTTP protocol supports two messages: GET allows you to download web pages; PUT allows you to upload data/web pages.

27 HTTP basics
A web site usually operates as follows:
STEP 1: The user types a request. E.g.,
STEP 2: The request gets translated into the HTTP protocol by the web browser:
[Diagram: User (Client) → Web Browser (Client), e.g., IE, Firefox → Web Server, e.g., MS IIS, Apache]
© Daswani

28 HTTP basics
STEP 3: The web server responds to the request (with a status message and, optionally, the web page). Example status messages: HTTP 200 OK + the web page, or HTTP 404 (web page not found).
[Diagram: User (Client) → Web Browser (Client), e.g., IE, Firefox → Web Server, e.g., MS IIS, Apache]
© Daswani

29 HTML input fields
Some HTML causes the browser to generate input forms (pull-downs, checkboxes, text boxes…). Example: a sample form. When the user presses "submit", it's just like requesting another web page, except that the input fields are included in the HTTP header.

30 Forging input fields
A user can 'show source' to see the HTML the browser gets. We can save-as, edit the file, and then submit with bad data! Solutions? Validate the data server-side, too.

31 Hidden parameter manipulation attack
Objective: if the page uses a hidden input in its HTML, then alter it for fun and profit. HTML forms support “hidden inputs”: fields that are not displayed by the browser but are still embedded inside the web page. A web programmer might use these to solve the "HTTP state problem": how to remember, on a later page, what was entered on an earlier page. Unfortunately, “hidden” fields in HTML are not really hidden. Also, validating input at the client (i.e., with JavaScript) is ineffective for security.

32 Detailed explanation
HTML provides support for “hidden inputs”: data that is embedded into an HTML form but is not displayed by the browser, and that will be returned to the server upon 'submit'. This was originally designed to support “shopping cart” functionality. E.g., assume you add an item to a shopping cart and 'submit'. Assume the lazy web server doesn't remember your item; instead it returns the shopping page, but with your item stored as a hidden input. If the user later submits that (new) shopping page, it will submit the new purchase and the old, hidden input.
© Daswani

33 HTTP parameter tampering attack: Buying Pizza Example
Goal: trick the credit card gateway into charging a different amount.
[Diagram of the exchange: Web Browser (Client) → Web Server: Order 1 Pizza. Web Server → Client: OK; [cost $5.50] Confirm? Client → Web Server: Yes; [cost $5.50]. Web Server → Credit Card Payment Gateway. The client's browser controls the “Yes; [cost $5.50]” response.]
© Daswani. Modified by Ian Barland.

34 Buy Pizza: order.html
Assume the pizza restaurant has the following website. STEP 1: The user enters the number of pizzas and the credit card number, and then clicks on “ORDER”.
© Daswani

35 Confirm Order: confirm.cgi
STEP 2: The pizza restaurant’s web server responds with the following message to confirm the order. (Typo in the figure: it should read “sure”, as in “Are you sure you would like to order?”) STEP 3: The attacker doesn’t immediately click “yes”. Instead ...
© Daswani

36 Confirm Order: View Source
STEP 4: The attacker doesn’t immediately click “yes”. Instead, the attacker gets the “source” of the HTML file to see if the number $5.50 is hidden in some hidden field.
© Daswani

37 Price variable is not (really) hidden!
STEP 4 (cont'd): Notice that the value of the pizza, 5.50, is being stored as a hidden input field. The server presumes that, since it is hidden, the client can't see it or change it.
© Daswani

38 Next…
The “price” is a hidden input: that is, the server asks the client (browser) not to show it, but to still consider it as if it had been typed by the user. If the “yes” button is clicked now, the submitted form would include "pay=yes" and "price=5.50". The server would then charge the credit card $5.50 and dispatch the delivery person.
© Daswani

39 Attacker changes price!
STEP 5: The attacker changes the price of the pizza.
© Daswani

40 Save, reopen, and submit!
STEP 6: The attacker saves the new HTML file as attack.html.
© Daswani

41 Confirm Order: attack.html
STEP 7: Sends the request off by clicking on “yes”.
© Daswani

42 Buying Pizza Example
[Diagram of the exchange: Web Browser (Client) → Web Server: Order 1 Pizza. Web Server → Client: OK; [cost $5.50] Confirm? Client → Web Server: Submit Order $0.01 / Yes; [cost $0.01]. Web Server → Credit Card Payment Gateway: the server has blindly relayed the attacker's tampered price!!!]
© Daswani. Modified by Ian Barland.
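The fix slide 30 asks for ("validate the data server-side, too") applied to the pizza order of slides 33 to 42: the server treats the hidden price as something to check against its own menu, never as the amount to charge. This is an added example, not code from the slides or the textbook; the menu, the field names (item, qty, price, pay) and the confirm.cgi rendering are constructed for the demonstration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side price list: the only source of truth for prices.
MENU = {"pizza": Decimal("5.50")}


def parse_form(body):
    """Parses an application/x-www-form-urlencoded body into a flat dict
    (first value wins if a field name is repeated)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def server_price(item, qty):
    """What the order really costs, recomputed from the server's own menu."""
    return MENU[item] * qty


def confirm_page(item, qty):
    """The confirm.cgi page of slide 37: the price rides along as a hidden
    input.  Nothing here stops the client from editing it before replying."""
    price = server_price(item, qty)
    return ('<form action="confirm.cgi" method="post">'
            f'<input type="hidden" name="item" value="{item}">'
            f'<input type="hidden" name="qty" value="{qty}">'
            f'<input type="hidden" name="price" value="{price}">'
            'Are you sure you would like to order? '
            '<input type="submit" name="pay" value="yes"></form>')


def confirm_order(body):
    """Handles the 'yes' step.  Returns (amount_to_charge, reason); the amount
    is None whenever the submission is refused.  The hidden 'price' field is
    compared with the server's own figure, so a tampered form is detected
    rather than relayed to the payment gateway."""
    form = parse_form(body)
    if form.get("pay") != "yes":
        return None, "not confirmed"
    item = form.get("item")
    if item not in MENU:
        return None, "unknown item"
    try:
        qty = int(form.get("qty", ""))
        client_price = Decimal(form.get("price", ""))
    except (ValueError, InvalidOperation):
        return None, "malformed fields"
    if qty <= 0:
        return None, "bad quantity"
    expected = server_price(item, qty)
    if client_price != expected:
        # The client's browser controlled this value (slide 33); a mismatch
        # is worth logging as a tampering attempt, and is never charged.
        return None, "price mismatch"
    return expected, "ok"


if __name__ == "__main__":
    print(confirm_page("pizza", 1))
    print(confirm_order("pay=yes&item=pizza&qty=1&price=5.50"))   # (Decimal('5.50'), 'ok')
    print(confirm_order("pay=yes&item=pizza&qty=1&price=0.01"))   # (None, 'price mismatch')
```

Equivalent protection comes from not sending the price to the client at all and recomputing it from item and quantity on the server; keeping the hidden field and checking it has the advantage that a mismatch can be logged and investigated.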

43 HTML Injection attack
In HTML, angle brackets don't represent text; they represent the structure of the text (e.g., where paragraphs start/end, what text is a header, etc.). If a browser, when receiving a string of HTML, sees a '<' it knows to treat that as a tag, not as text.

44 HTML Injection attack 2
A server might often create a page containing "<p>Hello, $name, how are you?</p>" where $name was taken from previous user input. What characters might be inside $name that would confuse the browser? Try this form.

45 HTML Sanitization
(Recall: this is the same problem where user input was spliced into strings that were then used as SQL queries.) If you want a browser to display a less-than symbol as text, you want to use "&lt;" instead of "<".

46 HTML Sanitization 2
Solution: replace any chars that would represent HTML structure with a string that represents HTML data:
    $nameAsHTMLData = sanitizeHTML($name);
    echo "<p>Hello, $nameAsHTMLData, how are you?</p>";
The function sanitizeHTML just replaces each '<' with "&lt;", etc.

47 Next attack: Cross Site Scripting
Preliminaries: What is JavaScript? What is an applet? Many web clients support JavaScript. If your client supports JavaScript, then a web server can make your client (browser) run a JavaScript program. Example: How does this work? JavaScript can be internal or external (see the example in the URL above). Also, JavaScript can take input from the URL. Cross-site scripting takes advantage of these external JavaScripts with input from the URL.

48 Cross Site Scripting (2)
If you browse to an HTML page that takes input from the URL, you are in trouble! Why? E.g., let the URL be:
Let us assume this website takes the string “hello” and prints “hello”, i.e., it returns the HTML page:
    <p>Hello</p>
Now, if an attacker is able to convince you to click on:
the website will return an HTML page:
    <p><script src="bad_script"></script></p>
If bad_script is a malicious JavaScript program, then we are in trouble.
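The greeting page of slide 44, the sanitizeHTML() fix of slide 46, and the injected script of slide 48, run through an HTML parser so that the difference between markup and text is visible rather than asserted. This is an added example, not code from the slides or the textbook; sanitize_html() stands in for the slides' sanitizeHTML(), the TagCollector parser and the injected name are constructed for the demonstration, and bad_script is the slide's own placeholder.

```python
import html
from html.parser import HTMLParser


def sanitize_html(text):
    """The slides' sanitizeHTML(): characters that carry HTML structure
    (<, >, &, and both quote characters) become entity references such as
    &lt;, so the browser shows them as text instead of parsing them."""
    return html.escape(text, quote=True)


def greeting_spliced(name):
    """Slide 44's page: user input spliced straight into the HTML."""
    return "<p>Hello, " + name + ", how are you?</p>"


def greeting_sanitized(name):
    """Slide 46's fix: the same page, with the input passed through sanitize_html()."""
    return "<p>Hello, " + sanitize_html(name) + ", how are you?</p>"


class TagCollector(HTMLParser):
    """Records the start tags, and any script src attributes, that a
    browser-like parser would find in a page."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "script":
            self.script_srcs.append(dict(attrs).get("src"))


def parse_page(page):
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector


def tags_in(page):
    """List of start tags the parser finds in `page`, in document order."""
    return parse_page(page).tags


def script_sources(page):
    """src attributes of every <script> the parser finds in `page`."""
    return parse_page(page).script_srcs


# Constructed input of the kind slide 48 describes: a "name" that is really markup.
INJECTED_NAME = '<script src="bad_script"></script>'

if __name__ == "__main__":
    spliced = greeting_spliced(INJECTED_NAME)
    safe = greeting_sanitized(INJECTED_NAME)
    print(spliced, tags_in(spliced))   # ['p', 'script']: the browser would fetch bad_script
    print(safe, tags_in(safe))         # ['p']: the script tag is now just visible text
```

The same escaping is what a server-side template engine does by default when it auto-escapes; the parser check above is also a cheap unit test to keep around for any code path that builds HTML by string concatenation.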


49 Tools
There are some good tools that will allow you to achieve this attack without going through the preceding steps: WebScarab. This is a web proxy that you can run on any machine. It simply intercepts all the requests from your browser as well as the responses that your browser gets, and provides controls to edit HTML fields etc. In the upcoming HW, you will be using WebScarab.

50 Other type of Application level attacks
Race conditions

51 Race Condition attacks
Client: checks file attributes (verifies the user could write file X).
Client: writes file X (as root, on behalf of the authorized user).
Attacker: changes the file in the window between the client's check and its use: deletes file(name) X and creates a symbolic link from X to a privileged file (e.g., /etc/passwd). This requires only directory-write privileges.
The attack is a result of the interaction between multiple processes.

52 Why is synchronization necessary? Reason 2: Security
Example attack: race condition attacks. Some programs such as gcc/g++ create temporary files. They assume that the temporary file hasn’t changed from the time of creation till the time they write. Hence, there is a small time window which can be used by attackers (see the figure). It is called a race condition because two processes (gcc is one, the attacker’s process is the other) are racing to access the same resource.
[Figure: gcc: create temporary file X → check if user can write file X → write (or delete) file X. Attacker, inside the window: deletes X, creates a symbolic link from X to a privileged file.]
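The check-then-use window of slides 51 and 52, reproduced in a scratch directory so the outcome can be observed, together with the remedy: create the temporary file in one atomic step that refuses to follow a link. This is an added example, not code from the slides or the textbook; the directory, the file names X and target, and the simulated attacker step are constructed for the demonstration (the attacker's move is performed inline rather than by a concurrent process).

```python
import os
import tempfile


def write_check_then_open(path, data):
    """The pattern from slides 51 and 52: check the file, then open it.
    open() follows symbolic links, so if `path` is swapped for a link between
    the check and the open, `data` lands wherever the link points."""
    if os.path.exists(path) and not os.access(path, os.W_OK):
        raise PermissionError(path)
    with open(path, "w") as f:
        f.write(data)


def write_create_exclusive(path, data):
    """Remedy: make check and use a single atomic operation.  O_CREAT|O_EXCL
    fails if anything (file or link) already exists under that name, and
    O_NOFOLLOW refuses to follow a symbolic link, so there is no window.
    tempfile.mkstemp() uses the same flags under the hood."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_race(writer, attacker_wins):
    """Constructed scenario: 'target' stands in for the privileged file
    (the slides' /etc/passwd), 'X' for gcc's temporary file.  When
    attacker_wins is True the attacker's step (X becomes a symlink to target)
    is simulated before the program writes.  Returns (outcome, contents of
    target afterwards), so a clobbered target shows up as 'payload'."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target")
        with open(target, "w") as f:
            f.write("original")
        x = os.path.join(d, "X")
        if attacker_wins:
            os.symlink(target, x)  # attacker's move inside the race window
        try:
            writer(x, "payload")
            outcome = "wrote"
        except OSError:
            outcome = "refused"
        with open(target) as f:
            return outcome, f.read()


if __name__ == "__main__":
    for writer in (write_check_then_open, write_create_exclusive):
        for attacker_wins in (False, True):
            print(writer.__name__, attacker_wins, run_race(writer, attacker_wins))
    # write_check_then_open True -> ('wrote', 'payload'): target was overwritten
    # write_create_exclusive True -> ('refused', 'original'): the swap is detected
```

The refused open is also the detection signal: a privileged program that logs EEXIST on its own freshly chosen temporary name is seeing exactly the planted link the slides describe.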

53 Next: Cryptography.

